There are two distinct but inter-related aspects of networked information technology (IT) systems: network security and information security.

4.3.8.1 Network Security Overview

CHART II will employ four levels of network security, three of which are illustrated by figure 4-26. The figure characterizes security as a series of rings with the backbone network impervious to the security needs of outer rings. This approach is consistent with contemporary network security practice that each consumer network—and the network management ring can be considered a consumer network—is responsible for protecting its IT assets because only the consumer knows the value of its information—the backbone cannot implement mechanisms to effectively enforce consumer network and data access security policies.

Figure 4-26. CHART II Network Security

CSC/PBFI Advantage: Three of the four layers of CHART II network security

The CSC/PBFI Team has selected control isolation as the mechanism to protect the backbone network from unauthorized manipulation and usage charge fraud. The ATM network employs a private LAN for network management and usage accounting. CHART network management resources will receive alarms from the backbone fabric but will be unable to reach the backbone control LAN. Backbone network management will be exercised from a workstation directly attached to the control LAN at either the MDOT Enterprise Network Management Center or its alternate.

The network management ring (network) can reach consumer networks but consumer networks cannot reach the network management ring. That is not exactly true, but it is effectively true. The consumer network will be able to reach the network management ring with designated simple network management protocol (SNMP) information and a support e-mail address. Otherwise, the network management ring is isolated.

Note that figure 4-26 illustrates several consumer networks that are touched by the network management ring. Does this mean that something on one consumer network can use the network management ring to directly communicate and do something malicious to another consumer network? The short answer is no. The network management ring will not allow traffic received by it from one consumer network to be routed to another consumer network.

4.3.8.2 Information Security Overview

The CSC/PBFI Team has allocated enforcement of the CHART II security policy—security and protection of CHART II data and computing systems—to the operating system and CHART II database management system.

The first level of defense will be enforcement of a personal security profile for each individual authorized to log onto a CHART II workstation, server, or other intelligent device. Each individual will be assigned one or more roles that include certain system authorizations.

A role can be loosely described as group membership. By assigning individuals to different groups we can control the applications and files they have access to. For example, a particular HOT may have three roles: that of a HOT, that of a supervisory HOT, and that of a system administrator. For the first two roles the person may be registered with one user ID and password. For the latter role, which is highly privileged, the person would be registered with a different user ID and password that would permit system administration and configuration, but would inhibit use of ITS and office automation applications. This approach helps avoid "accidents" that might occur if those applications are run in a privileged mode.

The second level of defense is the capability of our selected RDBMS, Oracle, to enforce a security policy by use of an access control list (ACL). An Oracle ACL can contain individuals and groups and enforce row (record) as well as table (database) granularity. It can even be used to exclude access to a member of a group normally allowed to access a row or table. For example, a person can be assigned to a group called HR. The group HR can access all records of a personnel database. However, this person can be prevented from seeing personnel information about themselves, their supervisors, and others by including the person’s userid on the group member exclusion list for those specific records.

4.3.8.3 Security Architecture Features, Functions, and Approach

The CHART II security requirements, vulnerabilities, threats, and design countermeasure recommendations draw strongly on CSC’s prior studies for the U.S. Department of Transportation, John A. Volpe National Transportation Systems Center: State of Maryland Intelligent Transportation Systems Security Requirements Recommendations, November 1, 1997; and State of Maryland Intelligent Transportation Systems Security Implementation Recommendations, November 1, 1997. The following sections are organized to follow the six areas of protection used in the above Implementation Recommendations document. Table 4-1, below, summarizes the CHART II system security approach. Subsequent sections provide more detail and rationale.

Table 4-1. CHART II System Security Approach

CSC/PBFI Advantage: The CSC/PBFI’s approach draws on prior studies for the U.S. Department of Transportation, John A. Volpe National Transportation Systems Center

Inability to prevent access of outsiders on the Internet to internal CHART II resources

Inability to prevent manipulation of the WWW server by outsiders on the Internet

Access or disruption internal CHART II resources by outsiders

Disruption or corruption of WWW information

Firewall separation of the WWW server and internal CHART II resources

Configuration of the WWW server to minimize vulnerability to known attacks

4.3.8.3.1 User Access Control

The purpose of user access control in CHART II is the automated enforcement of restrictions on the access to CHART II resources (information objects, system resources, and functionality) based on pre-established user access authorizations. In addition to enforcing specific management policies, access control mechanisms can be regarded as providing countermeasures to unlimited/uncontrolled access by inside users and outside attackers.

In CHART II, all normal user functionality for the entire system is by design physically accessible through any CHART II workstation. CHART II systems and workstations are protected from access by other than MDSHA employees by their location in physically controlled spaces. MDSHA employees and others with physical access to CHART II terminals must still have login accounts to access any functions. What information, subsystems, and functions a user with a login account can access is limited to what has been authorized for that individual user. CHART II resources can be categorized as open access and controlled access. Open access resources (data, functions, subsystems) are those that are made available to any CHART II user with a login account.

The principal access control mechanisms are inherent and native to the NT operating systems selected for the CHART II workstation, and on the AVCM Server and FMS server. For structured databases managed by a relational database management system (RDBMS), the RDBMS provides additional granularity of access control to the information objects it stores.

4.3.8.3.2 User Access Authorizations

The purpose of user access authorization is to manage (set up and change) the access authorizations of CHART II users with respect to CHART II resources (information objects, system resources, and functionality), in accordance with management policy. Hence user access authorization is the pre-condition for the application of automated access controls. User access authorization can be specific to the possible modes of access of the particular resource. For example, access authorization for the same object and user can be different for such different modes as reading, viewing, printing, running, pre-empting, editing, adding, deleting, etc.

User access authorizations will be implemented for each of the following controlled access resources:

The capability to access to the Reports subsystem

The capability to print reports

The capability to receive Device Usage Reports

The capability to receive System Health Reports

The capability to assign users to geographic zones

The capability to edit command dictionaries

The capability to change messages on signs from a menu of pre-defined messages

The capability to define ad-hoc sign messages and edit the set of pre-defined messages

The capability to assign users a camera control precedence level

The capability to use camera control GUIs to control the NTSC routes

The capability to create new messages

The capability to change messages

The capability to access system archives via pre-defined SQL queries

The capability to perform file transfers from the data archives

The capability to set system archiving controls

The capability to control automatic incremental backup to storage devices

The capability to export specified map data

The capability to perform Administrator functions, including

Creation/deletion of user accounts

Access to user activity logs/audit trails

Assignment and change control of User authentication/password

Assignment of user authorizations

Assignment of user responsibility zones

4.3.8.3.3 User Identification and Authentication

Identification is a nominal or asserted identity of a system user. Authentication is the process of verification, based on additional evidence of the truth of the claimed identity. The purpose of user identification and authentication (I&A) is to establish verified individual identity of CHART II users in order to:

Ensure correct application of user access controls to each user, and

Ensure correct accountability records are maintained of a user’s activities.

Thus, robust user I&A is required for proper functioning of user access control and user accountability, and a countermeasure for fraudulent access to CHART II resources.

All accounts will require at least a password in addition to a user’s identifier in order to establish verified identity. Sound password management techniques will be used to establish minimum password length and non-dictionary content, and time before a new password is required. All available native password protection mechanisms, such as encrypted password files, and network password protection will be applied.

4.3.8.3.4 User Accountability

The purpose of user accountability is to ensure that each individual user can be held accountable for his or her activities while using the CHART II system. User accountability is based on keeping automated electronic records (logs, or audit trails) of user activities on the system. They serve primarily as a strong deterrent countermeasure to the threat of user misbehavior such as using authorized functions in unauthorized ways or attempting to extend authorizations without management permission. They also provide a basis for after-the-fact determination of deliberate or inadvertent user behaviors that created problems.

User accountability starts with robust I&A in order for the accountability record to give strong evidence of the true identity of the user whose activities are on the record. In order to be valid the accountability record itself must be protected from being changed by any of the users whose activities it is recording.

Several mechanisms in CHART II provide user accountability records. First, the platform operating system audit trails form the base level of user accountability records. These audit trails are important to track user logins and failed login attempts, configuration changes in the platform, and invocation of subsystem applications. However, the platform operating system native audit mechanism is "blind" to the semantics of application-defined user actions, such as changing roadway messages, reading, creating or printing incident reports, etc. In order to create a meaningful record at the application level, each application subsystem in CHART II creates activity logs that record user activities. Like the platform audit trails, these activity logs must be protected from modification or deletion by other than an authorized administrator.

4.3.8.3.5 Communication Security

The purpose of communication security mechanisms is toprotect information as it is transferred between system platforms from unauthorized origination, viewing/copying, modification, and deletion. Protection against unauthorized origination implies the valid identification and authentication of the point of information origination. Threats can come from passive data capture (network tapping or "sniffing), active false data origination, data corruption, or data deletion. Confidentiality of typical application information on the CHART II system is not required. However, the need for strong communication confidentiality originates in the need to protect passwords and other entity authentication information from disclosure – since it could in turn be used to commit fraudulent impersonations to defeat or manipulate access control and accountability mechanisms.

The types of communications, threats and countermeasures in CHART II are described under the following categories:

Inter-Center Communications

Intra-Center Communications

Center- Device Communications

The variants, threats, and countermeasures, for each of these, are discussed below.

4.3.8.3.6 Inter-Center Server Communications Security

Inter-Center communications are carried on an ATM network. The switches are physically protected by location within the district/TOC, SOC, and AOC facilities. The transmission paths between ATM switches are logical switch-to-switch data channels built from a mix of state-owned and commercial carrier fiber and related multiplex hierarchies. While these data channels are not highly exposed, there is no assurance of security, since they are exposed to unknown commercial carrier workers in manholes and wire centers, where they are subject to threats of data capture, mis-routing, false origination, and manipulation. Moreover, the ATM switched network is not used exclusively by CHART II subsystems. It is also used by other Maryland State systems. The ATM network therefore has the potential vulnerability for unauthorized connectivity to non-CHART II systems and to whatever they are connected.

The use of the native Windows NT platform-to-platform encryption capability, called "Point-to-Point Tunneling Protocol" (PPTP) on all servers and workstations will serve as an adequate countermeasure to the identified threats to server-server and workstation-server Inter-Center communications. PPTP forms an encrypted "tunnel" between communicating NT platforms, independent of what applications are passing data, and independent of the ATM switches and transmission media. Because of the protection provided by this built-in platform-to-platform encryption service, there is no need for any ATM-level encryption devices.

CCTV data is compressed video that carries no private information, and would not cause any lasting database corruption if it were altered. Since it passes directly between camera equipment and display monitors, it is outside the protection envelope provided by the NT platform-to-platform PPTP. The risk imposed to CHART II by this residual exposure is judged to be insufficient to justify CCTV-specific countermeasures.

4.3.8.3.7 Intra-Center Communications

Communications between CHART II workstations and servers within Center premises is via LAN that is physically protected by being enclosed within the same facility. The threats to this data are minimal. However when the CHART II workstations communicate with servers at other centers (e.g., a District-4 user retrieving e-mail from an e-mail server at the SOC) the traffic flows outside the LAN via a router interfaced to the switched ATM backbone. This traffic is subject to the same threats as all other Inter-Center communications. Because PPTP will be used on all NT platforms to protect inter-Center traffic (as described in Section 5.6.5.1), PPTP-protection within the local facility for data passing over the LAN is also provided automatically – without requiring any additional mechanism.

4.3.8.3.8 Center-Device Communications Security

Servers in each center need to communicate with a number of external devices that either collect sensor data or display or transmit information to drivers. The principal issues for communications with these devices are authenticity, integrity, and availability. In CHART II, all communication between a Center and a remote device is originated by the Center. Table 4-2 summarizes the types of Center-Device communications by device, transmission method, and information coding method.

Table 4-2. Center-Device Communications

CSC/PBFI Advantage: All communication between a Center and a remote device is originated by the Center

I/O Device Type

Transmission Method

Information Coding Method

Fixed VMS – Variable Message Signs

Center-addressed, multidrop, copper pair circuit

Digital (DDS)

Traffic Signals

Center-addressed, multidrop, copper pair circuit

Digital (modem)

TAR – Travelers Advisory Radio

Center-dialed wireline POTS (to two terminations)

Control Port: DTMF signals

Message Port: Digital (modem)

T170E Buried Loop Detectors

Center-originated ISDN or DDS

Digital (ISDN or DDS)

T170 E Microwave Detectors

Center-originated ISDN or DDS

Digital (ISDN or DDS)

Traffic Signals

Center-dialed, wireline POTS

Digital (modem)

RWIS - Roadway Weather Information System

Center-dialed, wireline POTS

Digital (modem)

SHAZAM

Center-dialed, wireline POTS

DTMF signals

Portable VMS – Variable Message Signs

Center-dialed cellular

Digital (modem)

RTMS Microwave Detectors

Center-originated ISDN or DDS

Digital (ISDN or DDS)

Devices that are hard-wired via a dedicated multidrop circuit are at minimal risk of electronic intrusion, since intrusion would require physically locating and making connection to the circuit wire-pair. This category of device includes fixed VMS and some traffic signals devices. The principal threat to these devices is accidental loss-of-connectivity due to an inadvertent wire cut, for which electronic countermeasures are inapplicable.

Devices that are reached via center-dialed wireline "plain old telephone service" (POTS) are vulnerable to threats of unauthorized dial-up access. While "wiretap" electronic intrusion is possible, it is a far smaller risk than unauthorized dial-up attacks, since intrusion would require physically locating and making connection to the circuit wire-pair between the device and the central telephone office. Devices in this category include TAR stations, T170E loop and microwave detectors, RWIS sensors, Shazam indicators, and some traffic signals.

The countermeasures to unauthorized dial-up attacks include unlisted, non-sequential numbers, no-response-until-authentication, and authenticating codes. The use of unlisted, non-sequential phone numbers serves to minimize the denial-of-service effect where the devices are unavailable due to being busy (off-hook) during unauthorized access attempts. The authenticating codes and no-response-until-authentication are ultimately more critical than unlisted numbers, since these numbers will not remain secret indefinitely.

Devices that are reached via center-dialed cellular service are vulnerable to all the unauthorized dial-up threats of wireline POTS, plus threats that derive from being able to monitor the protocols and authentication codes on the air. Devices in this category include portable VMS displays. The countermeasures to unauthorized dial-up include unlisted, non-sequential numbers, no-response-until-authentication, and one-time or challenge-response authenticating codes. An authentication mechanism that is robust against attacks based on listening to prior exchanges is required as a countermeasure to the ability of potential attackers to monitor the cellular signals.

Devices reached via wireline ISDN switched service are vulnerable to unauthorized switched-ISDN dial-up threats. Devices in this category include RTMS microwave detectors. Attacks could come initially only from attackers with their own switched ISDN service. However, value-added ISDN servers are becoming available through Internet Service Providers and other common carriers that will enable anyone worldwide with Internet access to reach an ISDN-terminated device. Countermeasures include unlisted, non-sequential ISDN numbers, and strong authentication codes.

4.3.8.3.9 External System Interface Security

The purpose of external system interface security in CHART II is to protect CHART II resources from unauthorized disclosure, modification, insertion, or operational disruption by a non-CHART II system with a physical/electrical/functional interface to CHART II. CHART II has two kinds of external interfaces: Other intelligent transportation systems, and the general public via the Internet. Each of these is discussed below.

4.3.8.3.10 Other Transportation Systems Interface Security

CHART II has interfaces to several other external transportation systems for information interchange, specifically with the VDOT signals control system, the Montgomery County system, the PIM, the VDOT TMS, and with the IEN. It is assumed that the users of these other systems are not individually known to nor administered as CHART II users. The threat to CHART II is unauthorized access to its resources from unknown users on other systems.

Query access is required by each of the external systems to the CHART II Database. Because these external systems each "speaks" in a different legacy format, there is a functional requirement for a protocol translator (PT) interface. This PT will also serve as screening device or "firewall" that restricts access to only the CHART II Database in accordance with the agreed information exchange between CHART II and the particular external system. For CHART II accountability, each PT or a particular database session is treated as a pseudo-user, so that all externally originated transactions are logged as from that "user." It is the responsibility of the external system to control access to their users to the CHART II PT, and to maintain accountability records for those accesses.

4.3.8.3.11 External General Public Interface Security

CHART II will provide a World Wide Web (WWW) server with information intended to be disseminated to the general public in the form of a WWW service accessible from the public Internet. The security threats to CHART II from this interface include

Penetration of the WWW server and its use as a staging point for penetration into other CHART II systems.

Penetration of the WWW server for purposes of service theft (e.g., serving as a secret mail server, file staging point, attack staging point against other systems, etc.)

Penetration of the WWW server for purposes of posting erroneous, misdirecting, or vandalized information. This is the electronic equivalent of graffiti.

All three of these threat scenarios involve penetration of the WWW server itself. It is therefore important for the WWW server to be configured securely. This means it must run only WWW display services and allow management/upload only from CHART II -- with all other services that provide potential openings to penetration attack disabled.

The first of the above three threats is the most serious. It has the potential to disrupt or corrupt other CHART II functionality besides the WWW server itself. Even under the assumption that the WWW server is penetrated, this threat must be stopped by other means.

To counter this threat, the WWW server will not be directly connected to the internal CHART II network. Instead, a firewall device will mediate access to the WWW server from the Internet and from the SOC LAN, permitting no access between the SOC LAN and the Internet. This firewall will permit the WWW server to be managed and have new information uploads from inside the CHART II network, yet deny access to internal CHART II functions originating on the WWW server or on the Internet. The firewall will also log suspicious activities. Thresholds will be settable by administrators to notify administrators of these events. One response to a clear attack is to "unplug" the firewall and WWW server from the internal CHART II systems to protect it.